Merge branch '2.4.0-develop' of https://github.com/magento/magento2ce into MC-33823

� Conflicts:
�	dev/tests/functional/tests/app/Magento/Catalog/Test/Block/Adminhtml/Category/Tree.php
�	dev/tests/functional/tests/app/Magento/Sales/Test/Block/Adminhtml/Order/Create.php
�	dev/tests/functional/tests/app/Magento/Sales/Test/Block/Adminhtml/Order/Create/Coupons.php
�	dev/tests/functional/tests/app/Magento/Wishlist/Test/Block/Adminhtml/Customer/Edit/Tab/Wishlist/Grid.php

Author: Oleksandr Gorkun

.php_cs.dist

@@ -10,9 +10,6 @@
 
 $finder = PhpCsFixer\Finder::create()
     ->name('*.phtml')
-    ->exclude('dev/tests/functional/generated')
-    ->exclude('dev/tests/functional/var')
-    ->exclude('dev/tests/functional/vendor')
     ->exclude('dev/tests/integration/tmp')
     ->exclude('dev/tests/integration/var')
     ->exclude('lib/internal/Cm')

app/code/Magento/Backend/App/AbstractAction.php

@@ -16,6 +16,7 @@
 use Magento\Framework\Data\Form\FormKey\Validator as FormKeyValidator;
 use Magento\Framework\Locale\ResolverInterface;
 use Magento\Framework\View\Element\AbstractBlock;
+use Magento\Framework\Encryption\Helper\Security;
 
 /**
  * Generic backend controller
@@ -386,7 +387,7 @@ protected function _validateSecretKey()
         }
 
         $secretKey = $this->getRequest()->getParam(UrlInterface::SECRET_KEY_PARAM_NAME, null);
-        if (!$secretKey || $secretKey != $this->_backendUrl->getSecretKey()) {
+        if (!$secretKey || !Security::compareStrings($secretKey, $this->_backendUrl->getSecretKey())) {
             return false;
         }
         return true;

app/code/Magento/Backend/Test/Mftf/Test/AdminLoginSuccessfulTest.xml

@@ -20,6 +20,7 @@
             <group value="login"/>
         </annotations>
 
+
         <actionGroup ref="AdminLoginActionGroup" stepKey="loginAsAdmin"/>
         <actionGroup ref="AssertAdminSuccessLoginActionGroup" stepKey="assertLoggedIn"/>
         <actionGroup ref="AdminLogoutActionGroup" stepKey="logoutFromAdmin"/>

app/code/Magento/CardinalCommerce/Model/JwtManagement.php

@@ -8,6 +8,7 @@
 namespace Magento\CardinalCommerce\Model;
 
 use Magento\Framework\Serialize\Serializer\Json;
+use Magento\Framework\Encryption\Helper\Security;
 
 /**
  * JSON Web Token management.
@@ -62,7 +63,8 @@ public function decode(string $jwt, string $key): array
         $payload = $this->json->unserialize($payloadJson);
 
         $signature = $this->urlSafeB64Decode($signatureB64);
-        if ($signature !== $this->sign($headB64 . '.' . $payloadB64, $key, $header['alg'])) {
+
+        if (!Security::compareStrings($signature, $this->sign($headB64 . '.' . $payloadB64, $key, $header['alg']))) {
             throw new \InvalidArgumentException('JWT signature verification failed');
         }
 

app/code/Magento/Catalog/Block/Product/ListProduct.php

@@ -358,18 +358,16 @@ public function getIdentities()
 
         $category = $this->getLayer()->getCurrentCategory();
         if ($category) {
-            $identities[] = Product::CACHE_PRODUCT_CATEGORY_TAG . '_' . $category->getId();
+            $identities[] = [Product::CACHE_PRODUCT_CATEGORY_TAG . '_' . $category->getId()];
         }
 
         //Check if category page shows only static block (No products)
-        if ($category->getData('display_mode') == Category::DM_PAGE) {
-            return $identities;
-        }
-
-        foreach ($this->_getProductCollection() as $item) {
-            // phpcs:ignore Magento2.Performance.ForeachArrayMerge
-            $identities = array_merge($identities, $item->getIdentities());
+        if ($category->getData('display_mode') != Category::DM_PAGE) {
+            foreach ($this->_getProductCollection() as $item) {
+                $identities[] = $item->getIdentities();
+            }
         }
+        $identities = array_merge(...$identities);
 
         return $identities;
     }
@@ -382,7 +380,7 @@ public function getIdentities()
      */
     public function getAddToCartPostParams(Product $product)
     {
-        $url = $this->getAddToCartUrl($product);
+        $url = $this->getAddToCartUrl($product, ['_escape' => false]);
         return [
             'action' => $url,
             'data' => [

app/code/Magento/Catalog/Controller/Adminhtml/Product/Action/Attribute/Save.php

@@ -7,15 +7,17 @@
 namespace Magento\Catalog\Controller\Adminhtml\Product\Action\Attribute;
 
 use Magento\AsynchronousOperations\Api\Data\OperationInterface;
+use Magento\Catalog\Model\ProductFactory;
 use Magento\Catalog\Api\Data\ProductAttributeInterface;
 use Magento\Eav\Model\Config;
 use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Backend\App\Action;
 use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Exception\LocalizedException;
 use Magento\Framework\Stdlib\DateTime\TimezoneInterface;
 
 /**
- * Class used for saving mass updated products attributes.
+ * Class responsible for saving product attributes.
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
 class Save extends \Magento\Catalog\Controller\Adminhtml\Product\Action\Attribute implements HttpPostActionInterface
@@ -60,6 +62,11 @@ class Save extends \Magento\Catalog\Controller\Adminhtml\Product\Action\Attribut
      */
     private $eavConfig;
 
+    /**
+     * @var ProductFactory
+     */
+    private $productFactory;
+
     /**
      * @param Action\Context $context
      * @param \Magento\Catalog\Helper\Product\Edit\Action\Attribute $attributeHelper
@@ -71,6 +78,7 @@ class Save extends \Magento\Catalog\Controller\Adminhtml\Product\Action\Attribut
      * @param int $bulkSize
      * @param TimezoneInterface $timezone
      * @param Config $eavConfig
+     * @param ProductFactory $productFactory
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -83,7 +91,8 @@ public function __construct(
         \Magento\Authorization\Model\UserContextInterface $userContext,
         int $bulkSize = 100,
         TimezoneInterface $timezone = null,
-        Config $eavConfig = null
+        Config $eavConfig = null,
+        ProductFactory $productFactory = null
     ) {
         parent::__construct($context, $attributeHelper);
         $this->bulkManagement = $bulkManagement;
@@ -96,6 +105,7 @@ public function __construct(
             ->get(TimezoneInterface::class);
         $this->eavConfig = $eavConfig ?: ObjectManager::getInstance()
             ->get(Config::class);
+        $this->productFactory = $productFactory ?? ObjectManager::getInstance()->get(ProductFactory::class);
     }
 
     /**
@@ -121,9 +131,10 @@ public function execute()
         $attributesData = $this->sanitizeProductAttributes($attributesData);
 
         try {
+            $this->validateProductAttributes($attributesData);
             $this->publish($attributesData, $websiteRemoveData, $websiteAddData, $storeId, $websiteId, $productIds);
             $this->messageManager->addSuccessMessage(__('Message is added to queue'));
-        } catch (\Magento\Framework\Exception\LocalizedException $e) {
+        } catch (LocalizedException $e) {
             $this->messageManager->addErrorMessage($e->getMessage());
         } catch (\Exception $e) {
             $this->messageManager->addExceptionMessage(
@@ -152,10 +163,12 @@ private function sanitizeProductAttributes($attributesData)
             }
 
             $attribute = $this->eavConfig->getAttribute(\Magento\Catalog\Model\Product::ENTITY, $attributeCode);
+
             if (!$attribute->getAttributeId()) {
                 unset($attributesData[$attributeCode]);
                 continue;
             }
+
             if ($attribute->getBackendType() === 'datetime') {
                 if (!empty($value)) {
                     $filterInput = new \Zend_Filter_LocalizedToNormalized(['date_format' => $dateFormat]);
@@ -183,6 +196,25 @@ private function sanitizeProductAttributes($attributesData)
         return $attributesData;
     }
 
+    /**
+     * Validate product attributes data.
+     *
+     * @param array $attributesData
+     *
+     * @return void
+     * @throws LocalizedException
+     */
+    private function validateProductAttributes(array $attributesData): void
+    {
+        $product = $this->productFactory->create();
+        $product->setData($attributesData);
+
+        foreach (array_keys($attributesData) as $attributeCode) {
+            $attribute = $this->eavConfig->getAttribute(\Magento\Catalog\Model\Product::ENTITY, $attributeCode);
+            $attribute->getBackend()->validate($product);
+        }
+    }
+
     /**
      * Schedule new bulk
      *
@@ -192,7 +224,7 @@ private function sanitizeProductAttributes($attributesData)
      * @param int $storeId
      * @param int $websiteId
      * @param array $productIds
-     * @throws \Magento\Framework\Exception\LocalizedException
+     * @throws LocalizedException
      *
      * @return void
      */
@@ -246,7 +278,7 @@ private function publish(
                 $this->userContext->getUserId()
             );
             if (!$result) {
-                throw new \Magento\Framework\Exception\LocalizedException(
+                throw new LocalizedException(
                     __('Something went wrong while processing the request.')
                 );
             }

app/code/Magento/Catalog/Controller/Adminhtml/Product/Attribute/Save.php

@@ -224,7 +224,7 @@ public function execute()
                     return $this->returnResult('catalog/*/', [], ['error' => true]);
                 }
                 // entity type check
-                if ($model->getEntityTypeId() != $this->_entityTypeId) {
+                if ($model->getEntityTypeId() != $this->_entityTypeId || array_key_exists('backend_model', $data)) {
                     $this->messageManager->addErrorMessage(__('We can\'t update the attribute.'));
                     $this->_session->setAttributeData($data);
                     return $this->returnResult('catalog/*/', [], ['error' => true]);
@@ -261,6 +261,8 @@ public function execute()
                 unset($data['apply_to']);
             }
 
+            unset($data['entity_type_id']);
+
             $model->addData($data);
 
             if (!$attributeId) {

app/code/Magento/Catalog/Model/Template/Filter.php

@@ -14,8 +14,6 @@
 
 /**
  * Work with catalog(store, website) urls
- *
- * @package Magento\Catalog\Model\Template
  */
 class Filter extends \Magento\Framework\Filter\Template
 {
@@ -30,6 +28,7 @@ class Filter extends \Magento\Framework\Filter\Template
      * Whether to allow SID in store directive: NO
      *
      * @var bool
+     * @deprecated SID query parameter is not used in URLs anymore.
      */
     protected $_useSessionInUrl = false;
 
@@ -81,10 +80,14 @@ public function setUseAbsoluteLinks($flag)
      *
      * @param bool $flag
      * @return $this
+     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
+     * @deprecated SID query parameter is not used in URLs anymore.
      */
     public function setUseSessionInUrl($flag)
     {
-        $this->_useSessionInUrl = $flag;
+        // phpcs:disable Magento2.Functions.DiscouragedFunction
+        trigger_error('Session ID is not used as URL parameter anymore.', E_USER_DEPRECATED);
+
         return $this;
     }
 
@@ -126,6 +129,7 @@ public function viewDirective($construction)
      */
     public function mediaDirective($construction)
     {
+        // phpcs:disable Magento2.Functions.DiscouragedFunction
         $params = $this->getParameters(html_entity_decode($construction[2], ENT_QUOTES));
         return $this->_storeManager->getStore()
                 ->getBaseUrl(\Magento\Framework\UrlInterface::URL_TYPE_MEDIA) . $params['url'];

app/code/Magento/Catalog/Test/Unit/Block/Product/ListProductTest.php

@@ -235,7 +235,7 @@ public function testGetAddToCartPostParams()
             ->willReturn(true);
         $this->cartHelperMock->expects($this->any())
             ->method('getAddUrl')
-            ->with($this->productMock, [])
+            ->with($this->productMock, ['_escape' => false])
             ->willReturn($url);
         $this->productMock->expects($this->once())
             ->method('getEntityId')

app/code/Magento/Checkout/Controller/Sidebar/RemoveItem.php

@@ -19,6 +19,9 @@
 use Magento\Framework\Exception\LocalizedException;
 use Psr\Log\LoggerInterface;
 
+/**
+ * Controller for removing quote item from shopping cart.
+ */
 class RemoveItem extends Action implements HttpPostActionInterface
 {
     /**
@@ -96,6 +99,9 @@ public function execute()
             $this->sidebar->removeQuoteItem($itemId);
         } catch (LocalizedException $e) {
             $error = $e->getMessage();
+        } catch (\Zend_Db_Exception $e) {
+            $this->logger->critical($e);
+            $error = __('An unspecified error occurred. Please contact us for assistance.');
         } catch (Exception $e) {
             $this->logger->critical($e);
             $error = $e->getMessage();